File name: Revision FX Twixtor Pro v7.0.3.exe

Full analysis: https://app.any.run/tasks/25e249a2-7654-4c70-8d5c-e769b0aa6e02
Verdict: Malicious activity
Analysis date: June 12, 2024, 08:29:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: A6387DA43F6ACA9EFE0B3442C3E3F024
SHA1: 17A865596668E465798E0C4D5950DB0140C9AB57
SHA256: E33571F5301BE454EFC4B4FBD175A2E9E8B9684AD3B64052D802A08335BDB6A1
SSDEEP: 393216:KYIm+5SWldI2tlYhZv2wxUcmhSSZ66mJ6Pv6uM:RImIlaIwuROJ6Pv6uM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Reads security settings of Internet Explorer

      • TextInputHost.exe (PID: 6948)
    • Process drops legitimate windows executable

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Creates a file in the system drive root

      • explorer.exe (PID: 3728)
    • Creates a software uninstall entry

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
  • INFO

    • Checks supported languages

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
      • TextInputHost.exe (PID: 6948)
      • REVisionLicenseInstaller.exe (PID: 7096)
    • Reads Windows Product ID

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Reads the computer name

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
      • TextInputHost.exe (PID: 6948)
      • REVisionLicenseInstaller.exe (PID: 7096)
    • Process checks whether UAC notifications are on

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Reads CPU info

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Creates files in a temporary directory

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Reads Environment values

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Creates files in the program directory

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 3728)
    • Reads the time zone

      • Revision FX Twixtor Pro v7.0.3.exe (PID: 6644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:10:19 07:15:05+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.22
CodeSize: 1911808
InitializedDataSize: 2840576
UninitializedDataSize: 7168
EntryPoint: 0x12a0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 7.0.3.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: -
OriginalFileName: setup.exe
CompanyName: RE:Vision Effects
LegalCopyright: Copyright RE:Vision Effects
FileVersion: 1.0.0.0
ProductName: Twixtor v7 for After Effects and Premiere Pro
ProductVersion: 7.0.3
No data.
All screenshots are available in the full report
Total processes
125
Monitored processes
7
Malicious processes
1
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 3728
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\aepic.dll
PID: 4928
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6476
CMD: C:\WINDOWS\explorer.exe "C:\Program Files\REVisionEffects\Twixtor7AE"
Path: C:\Windows\explorer.exe
Parent process: Revision FX Twixtor Pro v7.0.3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\twinapi.dll
PID: 6596
CMD: "C:\Users\admin\Desktop\Revision FX Twixtor Pro v7.0.3.exe"
Path: C:\Users\admin\Desktop\Revision FX Twixtor Pro v7.0.3.exe
Parent process: explorer.exe
User:
admin
Company:
RE:Vision Effects
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\revision fx twixtor pro v7.0.3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6644
CMD: "C:\Users\admin\Desktop\Revision FX Twixtor Pro v7.0.3.exe"
Path: C:\Users\admin\Desktop\Revision FX Twixtor Pro v7.0.3.exe
Parent process: explorer.exe
User:
admin
Company:
RE:Vision Effects
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\revision fx twixtor pro v7.0.3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6948
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 7096
CMD: "C:\PROGRA~1\REVISI~1\TWIXTO~1\REVISI~1.EXE" Twixtor7AE
Path: C:\Program Files\REVisionEffects\Twixtor7AE\REVisionLicenseInstaller.exe
Parent process: Revision FX Twixtor Pro v7.0.3.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\revisioneffects\twixtor7ae\revisionlicenseinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
12 373
Read events
12 323
Write events
47
Delete events
3

Modification events

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment
Operation: write
Name: BitRock
Value: 1

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment
Operation: delete value
Name: BitRock
Value: 1

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: DisplayVersion
Value: 7.0.3

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: Publisher
Value: RE:Vision Effects

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: DisplayName
Value: Twixtor v7 for After Effects and Premiere Pro

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: UrlInfoAbout
Value: (empty)

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: HelpLink
Value: (empty)

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: Comments
Value: (empty)

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: Contact
Value: (empty)

(PID) Process: (6644) Revision FX Twixtor Pro v7.0.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Twixtor v7 for After Effects and Premiere Pro 7.0.3
Operation: write
Name: VersionMajor
Value: 7
Executable files
44
Suspicious files
17
Text files
106
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\br5dbe9f | Type: executable
MD5: A210F1AC135E5331C314CE5F394FB5A5
SHA256: 65B32EA2982078FB9A18E88FEEC238CB76ED2AE6C2BB4DDB0F6A9C4F57B1D62B

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\BR6AF1.tmp | Type: executable
MD5: C04970B55BCF614F24CA75B1DE641AE2
SHA256: 5DDEE4AAB3CF33E505F52199D64809125B26DE04FB9970CA589CD8619C859D80

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\br8dd311 | Type: executable
MD5: 08AD4CD2A940379F1DCDBDB9884A1375
SHA256: 78827E2B1EF0AAD4F8B1B42D0964064819AA22BFCD537EBAACB30D817EDC06D8

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\br026d22 | Type: executable
MD5: 027491B39A7B16B116E780F55ABC288E
SHA256: EEF69D005BF1C0B715C8D6205400D4755C261DD38DDFBBFE918E6EE91F21F1F0

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\BR68B9.tmp | Type: executable
MD5: 043912C143BD6BC1A55FCD1ACF8E368C
SHA256: F7396330D3AEF2201766CD94E90D7ADA1BEBC2092A3B177274B546488DD21955

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\BR6966.tmp | Type: executable
MD5: A210F1AC135E5331C314CE5F394FB5A5
SHA256: 65B32EA2982078FB9A18E88FEEC238CB76ED2AE6C2BB4DDB0F6A9C4F57B1D62B

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\BR6AC1.tmp | Type: executable
MD5: 027491B39A7B16B116E780F55ABC288E
SHA256: EEF69D005BF1C0B715C8D6205400D4755C261DD38DDFBBFE918E6EE91F21F1F0

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\BR6A72.tmp | Type: executable
MD5: 1199BFA06B996BE79B987C6506328A22
SHA256: 481F2FA60CC99BA5784AF304906ACB4E356A704E440D6D141054D8226E73C56D

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\BR6A32.tmp | Type: executable
MD5: 08AD4CD2A940379F1DCDBDB9884A1375
SHA256: 78827E2B1EF0AAD4F8B1B42D0964064819AA22BFCD537EBAACB30D817EDC06D8

PID: 6644 | Process: Revision FX Twixtor Pro v7.0.3.exe | Filename: C:\Users\admin\AppData\Local\Temp\BR6DF1.tmp | Type: executable
MD5: CD326D958AD1EEB46B99B7AACCAB5EDB
SHA256: B966B6E0CF704E65627B74D9F4E4B7AF31A9CE5D9564D00CFEF822AF427EC88D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5140
MoUsoCoreWorker.exe
GET
200
2.19.117.22:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1744
RUXIMICS.exe
GET
200
23.200.189.225:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
23.200.189.225:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
POST
200
20.50.201.205:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
GET
200
92.123.128.193:443
https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w
unknown
s
21.3 Kb
GET
200
92.123.128.193:443
https://www.bing.com/manifest/threshold.appcache
unknown
text
3.36 Kb

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5228
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
2.19.117.22:80
crl.microsoft.com
Akamai International B.V.
GB
unknown
4
System
192.168.100.255:138
whitelisted
5140
MoUsoCoreWorker.exe
23.200.189.225:80
www.microsoft.com
Moratelindo Internet Exchange Point
ID
unknown
1744
RUXIMICS.exe
23.200.189.225:80
www.microsoft.com
Moratelindo Internet Exchange Point
ID
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5456
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.19.117.22
  • 2.19.117.18
whitelisted
www.microsoft.com
  • 23.200.189.225
whitelisted
self.events.data.microsoft.com
  • 51.105.71.137
whitelisted

Threats

No threats detected
No debug info